GraphQL API spam protection and CAPTCHA support

If the model can be modified via the GraphQL API, you must also add support to all of the relevant GraphQL mutations which may modify spammable or spam-related attributes. This definitely includes the Create and Update mutations, but may also include others, such as those related to changing a model’s confidential/public flag.

Add support to the GraphQL mutations

The main steps are:

Use include Mutations::SpamProtection in your mutation.
Pass perform_spam_check: true to the Update Service class constructor. It is set to true by default in the Create Service.
After you create or update the Spammable model instance, call #check_spam_action_response! and pass it the model instance. This call:
1. Performs the necessary spam checks on the model.
2. If spam is detected:
  - Raises a GraphQL::ExecutionError exception.
  - Includes the relevant information added as error fields to the response via the extensions: parameter. For more details on these fields, refer to the section in the GraphQL API documentation on Resolve mutations detected as spam.
If you use the standard ApolloLink or Axios interceptor CAPTCHA support described above, you can ignore the field details, because they are handled automatically. They become relevant if you attempt to use the GraphQL API directly to process a failed check for potential spam, and resubmit the request with a solved CAPTCHA response.

For example:

module Mutations
  module Widgets
    class Create < BaseMutation
      include Mutations::SpamProtection

      def resolve(args)
        service_response = ::Widgets::CreateService.new(
          project: project,
          current_user: current_user,
          params: args
        ).execute

        widget = service_response.payload[:widget]
        check_spam_action_response!(widget)

        # If possible spam was detected, an exception would have been thrown by
        # `#check_spam_action_response!`, so the normal resolve return logic can follow below.
      end
    end
  end
end

Refer to the Exploratory Testing section for instructions on how to test CAPTCHA behavior in the GraphQL API.

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support